Recommended Router and Firewall Settings
Explore the settings and parameters to configure to ensure your router and firewall devices are ready for VoIP services.
Written by Adrian Angwenyi
Updated at April 14th, 2025
Table of Contents
General Configuration
WARNING: It is recommended to consult your IT, MSP (Managed Service Provider), or another network professional when configuring advanced network settings or devices.
While resolving any network issues, we also recommend configuring and testing Bandwidth Management/Traffic Shaping policies that prioritize VoIP traffic on your router/firewall.
Settings to Disable
- SIP ALG (Application Layer Gateway) functions such as SIP Transformations, SIP Application Helpers, SIP Normalization, etc..
- SPI (Stateful Packet Inspection)
- AV Client Enforcement on any IP assigned to a phone
- Content Filtering on any IP assigned to a phone
Settings to Enable
- Bandwidth Management/Traffic Shaping (See below for a list of our network blocks and bandwidth requirements)
- Default UDP session timeout set to 300 seconds
- Consistent NAT (Sonicwall)
-
Load balancing policy configured for ingress and egress of phones only utilizing the same WAN interface. (If applicable)
DANGER: We do NOT support the use of load-balancing for traffic entering and exiting multiple WAN interfaces.
For SD-WAN or Multi-WAN setups, please ensure that all traffic is being sent out through a single WAN interface, otherwise provisioning and directories will NOT work.
- Inbound and outbound traffic on ports and subnets listed below
- DNS resolution for the phones
Subnet and Port Configuration
SpectrumVoIP Public Subnets
- 199.71.209.0/24
- 24.227.249.0/25
- 72.249.136.32/28
- 206.123.122.32/27
- 212.69.157.32/27
- 40.143.31.64/27
- 45.41.5.0/24
- 12.150.91.0/24
Ports - Stratus Platform
Main Utilized Ports
- 5060-5062 UDP - SIP
- 20,000-40,000 UDP - RTP
- 80, 443 TCP - HTTP/HTTPS
Portal Dynamic Updates
- 8001 - TCP
Text-to-Speech Services - TCP and UDP
- 35.175.185.150:3001
- 35.175.185.150:8000
- 44.212.88.215:8000
- 54.149.243.27:3001
- 54.149.243.27:8000
- 54.70.235.134:3001
- 54.70.235.134:8000
StratusMEETING - TCP and UDP
- 54.188.133.147:3443
- 3.130.158.184:3443
- 35.183.150.146:3443
StratusWEB PHONE
- 9002 - TCP - websockets
Ports - Enswitch 1 and 2 Platforms
- 5060-5062 UDP - SIP
- 10,000-20,000 UDP - RTP
- 80, 443 TCP - HTTP/HTTPS
Push Notifications Ports
Google's Firebase Cloud Messaging (FCM)
- 443, 5228, 5229, 5230 - TCP
Apple's Push Notification Service (APNs)
- 5223, 443, 2197 - TCP
More Info: Port 5223 is the primary port for communication with APNs. Ports 443 and 2197 are used for sending notifications from MDM to APNs and as a fallback on Wi-Fi if 5223 can't be reached.
Bandwidth Requirements
Voice-only applications utilize G.711 U-Law as the primary codec and require 87.2 Kbps of bandwidth per active call. We've found a good rule of thumb is to round the requirement up to 100Kbps to account for signaling and overhead.
For example… A 10Mbps/1Mbps ISP connection that is solely dedicated to the phones would support 10 concurrent phone calls.
Option 132: Automatic VLAN Assignment
Option 132 in DHCP is a feature that enables automatic VLAN assignment. When a device connects to the network, it sends a DHCP request containing its MAC address. The DHCP server that has Option 132 configured identifies the device and assigns a suitable VLAN.
NOTE: This only works for Yealink brand phones and needs to be made as a custom option on a DHCP Server.
To create a DHCP VLAN option on your DHCP server to allow Yealink phones to automatically connect and provision when plugged in, the following can be configured:
- Option 132: Set Voice VLAN ID
- Type = String (ASCII)
- Value = 'VLANTAG' for example '20' for VLAN 20
This DHCP option should be applied to your native DHCP server so that the phones receive the configuration when first plugged in. This may also be applied to the voice VLAN if needed.